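# --- Broker 1 (peter-kafka01): keystore, private CA, truststore, signed broker cert ---
# NOTE(security): the store/key password is passed on the command line, so it shows
# up in `ps` for the lifetime of every keytool call and in the shell history.
# Acceptable for a lab; for anything real prefer keytool's -storepass:file /
# -storepass:env forms and restrict the ssl directory to the kafka service account.
sudo mkdir -p /usr/local/kafka/ssl
cd /usr/local/kafka/ssl
export SSLPASS=peterpass

# 1. Broker keystore with the broker's own key pair.
#    The CN must be the hostname clients connect to (Kafka verifies it by default
#    since 2.0), so every broker needs a keystore with its OWN CN.
sudo keytool -keystore kafka.server.keystore.jks -alias localhost -keyalg RSA -validity 365 -genkey -storepass $SSLPASS -keypass $SSLPASS -dname "CN=peter-kafka01.foo.bar" -storetype pkcs12
keytool -list -v -keystore kafka.server.keystore.jks

# 2. Self-signed CA. `-nodes` leaves ca-key UNENCRYPTED, which is why no -passin is
#    needed when signing below (that answers the "SSLPASS?" question in the notes).
#    Treat ca-key as the most sensitive file in the cluster: it is only needed on
#    this host. (Validity was 356 in the notes - looks like a typo for 365.)
sudo openssl req -new -x509 -keyout ca-key -out ca-cert -days 365 -subj "/CN=foo.bar" -nodes

# 3. Truststore = just the CA cert; brokers and clients trust anything it signed.
sudo keytool -keystore kafka.server.truststore.jks -alias CARoot -importcert -file ca-cert -storepass $SSLPASS -keypass $SSLPASS -noprompt
keytool -list -v -keystore kafka.server.truststore.jks

# 4. CSR from the keystore, signed by the CA (no -passin: the key is unencrypted).
sudo keytool -keystore kafka.server.keystore.jks -alias localhost -certreq -file cert-file -storepass $SSLPASS -keypass $SSLPASS
sudo openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file -out cert-signed -days 365 -CAcreateserial

# 5. Import the CA cert AND the signed broker cert into the keystore.
#    The notes stopped after CARoot on this broker; without the second import the
#    broker keeps presenting its self-signed cert, which clients will reject.
sudo keytool -keystore kafka.server.keystore.jks -alias CARoot -importcert -file ca-cert -storepass $SSLPASS -keypass $SSLPASS -noprompt
sudo keytool -keystore kafka.server.keystore.jks -alias localhost -importcert -file cert-signed -storepass $SSLPASS -keypass $SSLPASS
keytool -list -v -keystore kafka.server.keystore.jks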
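# --- Broker 1 -> brokers 2/3: ssh access, then distribute the CA material ---
# Generate a key pair on broker 1 and paste the public key into
# /home/ec2-user/.ssh/authorized_keys on peter-kafka02 and peter-kafka03
# (EC2 images normally disable password auth, so ssh-copy-id is not an option).
ssh-keygen
cat ~/.ssh/id_rsa.pub
vi /home/ec2-user/.ssh/authorized_keys   # on each target broker; keep the file mode 600

cd /usr/local/kafka/ssl/
# NOTE(security): ca-key is the CA PRIVATE key. Copying it to every broker means a
# compromise of any single broker lets an attacker mint certificates the whole
# cluster trusts. The notes ship it so brokers 2/3 can sign their own CSR locally;
# the safer layout is to ship only the CSR to broker 1, sign there, and ship the
# signed cert back. If you keep this flow, delete ca-key from brokers 2/3 right
# after signing (see the per-broker steps below).
for broker in peter-kafka02.foo.bar peter-kafka03.foo.bar; do
  scp ca-cert ca-key kafka.server.truststore.jks "$broker":~
done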
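# --- Run on EACH of peter-kafka02 and peter-kafka03 (the notes repeat this once per
#     broker). Assumes the files scp'd from broker 1 are in ~ and SSLPASS is exported
#     in this shell exactly as on broker 1. ---
# Move only the files we shipped; the notes' `sudo mv *` would sweep up anything
# else lying in the home directory (e.g. keypair.pem).
sudo mv ~/ca-cert ~/ca-key ~/kafka.server.truststore.jks /usr/local/kafka/ssl/
cd /usr/local/kafka/ssl/

# The notes never create the keystore on brokers 2/3, yet `-certreq` needs one.
# Create it with THIS broker's FQDN as CN (skip if it already exists; write the
# hostname literally if `hostname -f` does not return the foo.bar name).
sudo keytool -keystore kafka.server.keystore.jks -alias localhost -keyalg RSA -validity 365 -genkey -storepass $SSLPASS -keypass $SSLPASS -dname "CN=$(hostname -f)" -storetype pkcs12

# CSR -> sign with the copied CA (unencrypted key, so no -passin) -> import CA + signed cert.
sudo keytool -keystore kafka.server.keystore.jks -alias localhost -certreq -file cert-file -storepass $SSLPASS -keypass $SSLPASS
sudo openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file -out cert-signed -days 365 -CAcreateserial
sudo keytool -keystore kafka.server.keystore.jks -alias CARoot -importcert -file ca-cert -storepass $SSLPASS -keypass $SSLPASS -noprompt
sudo keytool -keystore kafka.server.keystore.jks -alias localhost -importcert -file cert-signed -storepass $SSLPASS -keypass $SSLPASS
keytool -list -v -keystore kafka.server.keystore.jks

# The CA private key has no business staying on a broker: remove it now that this
# broker's cert is signed. Broker 1 (the CA host) keeps the only copy.
sudo shred -u ca-key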
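# --- Broker SSL settings (repeat on every broker, with that broker's hostname in
#     advertised.listeners and its own keystore in place) ---
sudo vi /usr/local/kafka/config/server.properties
# PLAINTEXT on 9092 stays open so existing clients keep working. Until it is removed
# encryption is effectively optional: drop it once every client is on 9093.
listeners=PLAINTEXT://0.0.0.0:9092,SSL://0.0.0.0:9093
advertised.listeners=PLAINTEXT://peter-kafka01.foo.bar:9092,SSL://peter-kafka01.foo.bar:9093
ssl.truststore.location=/usr/local/kafka/ssl/kafka.server.truststore.jks
ssl.truststore.password=peterpass
ssl.keystore.location=/usr/local/kafka/ssl/kafka.server.keystore.jks
ssl.keystore.password=peterpass
ssl.key.password=peterpass
# Replication traffic between brokers uses the SSL listener as well.
security.inter.broker.protocol=SSL
# server.properties now contains the store passwords in clear text: make sure it is
# readable only by the account the kafka-server service runs as (not shown in the notes).
sudo systemctl restart kafka-server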
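# --- Verify the SSL listener, then build a client truststore and client config ---
# The notes used `-tls1`, which forces TLS 1.0; current JDKs have it disabled, so the
# handshake fails before anything is verified. Use the default protocol and hand
# openssl the CA cert so "Verify return code: 0 (ok)" really means the chain checks out.
cd /usr/local/kafka/ssl/
openssl s_client -connect peter-kafka01.foo.bar:9093 -servername peter-kafka01.foo.bar -CAfile ca-cert </dev/null 2>/dev/null | grep -E 'Verify return code'

export SSLPASS=peterpass
# Client truststore holds only the CA cert (no private material), so it may be
# world-readable; the non-root client tools need to read it.
sudo keytool -keystore kafka.client.truststore.jks -alias CARoot -importcert -file ca-cert -storepass $SSLPASS -keypass $SSLPASS -noprompt
sudo chmod 644 kafka.client.truststore.jks

# Client properties for the console tools (--producer.config / --consumer.config / --command-config).
cat > /home/ec2-user/ssl.config <<'EOF'
security.protocol=SSL
ssl.truststore.location=/usr/local/kafka/ssl/kafka.client.truststore.jks
ssl.truststore.password=peterpass
EOF

# Create the test topic THROUGH the SSL listener so this step actually exercises the
# new config (the notes went through PLAINTEXT 9092, which proves nothing about SSL).
/usr/local/kafka/bin/kafka-topics.sh --bootstrap-server peter-kafka01.foo.bar:9093 --command-config /home/ec2-user/ssl.config --create --topic peter-test07 --partitions 1 --replication-factor 3

# Foreground start of a broker (log goes to the terminal). Only for debugging, and
# only while the systemd service is stopped - otherwise the two fight over the ports.
/usr/local/kafka/bin/kafka-server-start.sh /usr/local/kafka/config/server.properties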
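# --- KDC host (peter-zk01): install Kerberos, create principals and keytabs ---
cd ansible_playbook
ansible-playbook -i hosts kerberos.yml

# Realm is FOO.BAR everywhere. The notes had F00.BAR (zeros) plus `-qa` for
# peter01/peter02, so those principals were never created and the ktadd below
# would fail for them.
sudo kadmin.local -q "add_principal -randkey peter01@FOO.BAR"
sudo kadmin.local -q "add_principal -randkey peter02@FOO.BAR"
sudo kadmin.local -q "add_principal -randkey admin@FOO.BAR"
# One service principal per broker, kafka/<fqdn>. The part before '/' must match
# sasl.kerberos.service.name on the brokers and in the client config.
sudo kadmin.local -q "add_principal -randkey kafka/peter-kafka01.foo.bar@FOO.BAR"
sudo kadmin.local -q "add_principal -randkey kafka/peter-kafka02.foo.bar@FOO.BAR"
sudo kadmin.local -q "add_principal -randkey kafka/peter-kafka03.foo.bar@FOO.BAR"

# Keytabs are long-term credentials equivalent to the principal's password.
mkdir -p /home/ec2-user/keytabs/
sudo kadmin.local -q "ktadd -k /home/ec2-user/keytabs/peter01.user.keytab peter01@FOO.BAR"
sudo kadmin.local -q "ktadd -k /home/ec2-user/keytabs/peter02.user.keytab peter02@FOO.BAR"
sudo kadmin.local -q "ktadd -k /home/ec2-user/keytabs/admin.user.keytab admin@FOO.BAR"
sudo kadmin.local -q "ktadd -k /home/ec2-user/keytabs/peter-kafka01.service.keytab kafka/peter-kafka01.foo.bar@FOO.BAR"
sudo kadmin.local -q "ktadd -k /home/ec2-user/keytabs/peter-kafka02.service.keytab kafka/peter-kafka02.foo.bar@FOO.BAR"
sudo kadmin.local -q "ktadd -k /home/ec2-user/keytabs/peter-kafka03.service.keytab kafka/peter-kafka03.foo.bar@FOO.BAR"
# Absolute path: the cwd is still ansible_playbook, so the notes' relative `keytabs`
# did not point at the directory just created. Lock the files down to the owner.
sudo chown -R ec2-user:ec2-user /home/ec2-user/keytabs
chmod 700 /home/ec2-user/keytabs && chmod 600 /home/ec2-user/keytabs/*

# --- On each broker: fetch the keytabs from the KDC host ---
# NOTE(security): this copies EVERY keytab (all users, all brokers, admin) to every
# broker. A broker only needs its own kafka/<fqdn> service keytab; the user keytabs
# belong on the client hosts. Copying the whole directory is a lab shortcut only.
scp -i keypair.pem -r peter-zk01.foo.bar:~/keytabs /home/ec2-user
sudo mv /home/ec2-user/keytabs /usr/local/kafka   # notes had /usr/loca/kafka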
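# --- On each broker: sanity-check Kerberos, then add the SASL listener ---
cat /etc/krb5.conf    # default_realm should be FOO.BAR and the KDC (peter-zk01) reachable
# Smoke test: get tickets from the keytabs. The Kafka tools later read the same cache.
kinit -kt /usr/local/kafka/keytabs/peter01.user.keytab peter01
klist
kinit -kt /usr/local/kafka/keytabs/peter-kafka01.service.keytab kafka/peter-kafka01.foo.bar

sudo vi /usr/local/kafka/config/server.properties   # notes had `vi/usr/...` (missing space)
# Append the SASL_PLAINTEXT endpoint to the existing listeners / advertised.listeners
# (the notes only show the new fragment, ...:9094).
listeners=PLAINTEXT://0.0.0.0:9092,SSL://0.0.0.0:9093,SASL_PLAINTEXT://0.0.0.0:9094
advertised.listeners=PLAINTEXT://peter-kafka01.foo.bar:9092,SSL://peter-kafka01.foo.bar:9093,SASL_PLAINTEXT://peter-kafka01.foo.bar:9094
# SASL_PLAINTEXT = Kerberos authentication with NO encryption on the wire. Once
# authentication works, switch to SASL_SSL (same SASL settings on top of the SSL listener).
security.inter.broker.protocol=SASL_PLAINTEXT
sasl.mechanism.inter.broker.protocol=GSSAPI
# Property name is plural and the mechanism is GSSAPI (notes: sasl.enabled.mechanism=GSSAIP).
sasl.enabled.mechanisms=GSSAPI
sasl.kerberos.service.name=kafka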
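# --- Broker JAAS: how the broker proves its identity to the KDC ---
# Written with tee instead of vi so the exact file contents live in the notes.
# On brokers 2/3 substitute that broker's keytab file and principal.
sudo tee /usr/local/kafka/config/kafka_server_jaas.conf >/dev/null <<'EOF'
KafkaServer {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
storeKey=true
keyTab="/usr/local/kafka/keytabs/peter-kafka01.service.keytab"
principal="kafka/peter-kafka01.foo.bar@FOO.BAR";
};
EOF
# The keytab must be readable by the service account and by nobody else; the
# notes do not show which user kafka-server runs as, so check that before restarting.

# The broker picks the JAAS file up from KAFKA_OPTS in its systemd environment file.
sudo vi /usr/local/kafka/config/jmx
KAFKA_OPTS="-Djava.security.auth.login.config=/usr/local/kafka/config/kafka_server_jaas.conf"
sudo systemctl restart kafka-server
# Confirm the SASL listener is up (ss replaces the deprecated netstat).
sudo ss -ltnp | grep 9094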
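# --- Client side: JAAS + client properties, then produce/consume over 9094 ---
# The notes had `requried` and no ';' after the closing brace; both break JAAS parsing.
cat > /home/ec2-user/kafka_client_jaas.conf <<'EOF'
KafkaClient {
com.sun.security.auth.module.Krb5LoginModule required
useTicketCache=true;
};
EOF
cat > /home/ec2-user/kerberos.config <<'EOF'
sasl.mechanism=GSSAPI
security.protocol=SASL_PLAINTEXT
sasl.kerberos.service.name=kafka
EOF
# The console tools only find the JAAS file through KAFKA_OPTS. The notes set it
# much later (just before the ACL test); without it the commands below fail with
# "Could not find a 'KafkaClient' entry in the JAAS configuration".
export KAFKA_OPTS="-Djava.security.auth.login.config=/home/ec2-user/kafka_client_jaas.conf"
# useTicketCache=true -> the tools use whatever ticket kinit put in the cache.
kinit -kt /usr/local/kafka/keytabs/peter01.user.keytab peter01
#### Produce messages
/usr/local/kafka/bin/kafka-console-producer.sh --bootstrap-server peter-kafka01.foo.bar:9094 --topic peter-test08 --producer.config kerberos.config
#### Consume messages (notes had `--consumer . config`)
/usr/local/kafka/bin/kafka-console-consumer.sh --bootstrap-server peter-kafka01.foo.bar:9094 --topic peter-test08 --from-beginning --consumer.config kerberos.config
#### Destroy the ticket
kdestroy
#### Confirm the cache is empty
klist
#### No ticket -> the broker now rejects the consumer (expected failure)
/usr/local/kafka/bin/kafka-console-consumer.sh --bootstrap-server peter-kafka01.foo.bar:9094 --topic peter-test08 --from-beginning --consumer.config kerberos.config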
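# --- Enable the ACL authorizer (on every broker) ---
sudo vi /usr/local/kafka/config/server.properties   # notes had /usr/kafka/config
security.inter.broker.protocol=SASL_PLAINTEXT        # notes: security.iter.broker.protocol
sasl.mechanism.inter.broker.protocol=GSSAPI
sasl.enabled.mechanisms=GSSAPI
sasl.kerberos.service.name=kafka
authorizer.class.name=kafka.security.authorizer.AclAuthorizer
# Super users bypass every ACL. 'kafka' should be what the broker principals
# kafka/<fqdn>@FOO.BAR map to under the default principal-to-local rules, so
# replication keeps working; 'admin' is the operator. With the authorizer on and
# allow.everyone.if.no.acl.found left at its default, any topic without an ACL is
# denied to everyone else from this restart on.
super.users=User:admin;User:kafka
sudo systemctl restart kafka-server

# The KafkaClient JAAS entry is not wanted for the ZooKeeper-based tools below.
unset KAFKA_OPTS
# Creating topics directly in ZooKeeper bypasses the broker's ACL check, which is
# why this works with no ticket. --zookeeper is gone in Kafka 3.x: use
# --bootstrap-server with a --command-config for the admin principal there.
/usr/local/kafka/bin/kafka-topics.sh --zookeeper peter-zk01.foo.bar:2181 --create --topic peter-test09 --partitions 1 --replication-factor 1
/usr/local/kafka/bin/kafka-topics.sh --zookeeper peter-zk01.foo.bar:2181 --create --topic peter-test10 --partitions 1 --replication-factor 1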
### peter01, peter02, admin 유저로 ACL 규칙 및 테스트
- peter01유저는 peter-test09 토픽에 대해 읽기 쓰기
- peter02 유저는 peter-test10 토픽에 대해 읽기 쓰기
- admin 유저는 peter-test09, peter-test10 토픽에 대해 읽기 쓰기
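# The notes had --autorizer-properties and --operation Writer; neither is accepted
# by kafka-acls.sh. Read+Write+Describe on the topic is enough to PRODUCE; consuming
# also needs Read on the consumer group (--group <name>), which is not granted here -
# add it before the per-user consume test.
/usr/local/kafka/bin/kafka-acls.sh --authorizer-properties zookeeper.connect=peter-zk01.foo.bar:2181 --add --allow-principal User:peter01 --operation Read --operation Write --operation Describe --topic peter-test09
/usr/local/kafka/bin/kafka-acls.sh --authorizer-properties zookeeper.connect=peter-zk01.foo.bar:2181 --add --allow-principal User:peter02 --operation Read --operation Write --operation Describe --topic peter-test10
/usr/local/kafka/bin/kafka-acls.sh --authorizer-properties zookeeper.connect=peter-zk01.foo.bar:2181 --list

# Authenticate as peter01 and point the console tools at the client JAAS file again.
kinit -kt /usr/local/kafka/keytabs/peter01.user.keytab peter01
export KAFKA_OPTS="-Djava.security.auth.login.config=/home/ec2-user/kafka_client_jaas.conf"
# peter01 -> peter-test09: allowed by the ACL above.
/usr/local/kafka/bin/kafka-console-producer.sh --bootstrap-server peter-kafka01.foo.bar:9094 --topic peter-test09 --producer.config kerberos.config
# peter01 -> peter-test10: expected to be refused (TopicAuthorizationException);
# only peter02 and the super users may write there.
/usr/local/kafka/bin/kafka-console-producer.sh --bootstrap-server peter-kafka01.foo.bar:9094 --topic peter-test10 --producer.config kerberos.config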
.. 이후 유저별 컨슘 테스트
9장 카프카 보안
카프카 보안의 3요소
암호화
SSL을 이용
인증(SASL-Simple Authentication and Security Layer)
권한(ACL)
SSL을 이용한 카프카 암호화
브로커 키스토어 생성
CA 인증서 생성
트러스트스토어 생성
인증서 서명
나머지 브로커에 대한 SSL 구성
브로커 설정에 SSL 추가
SSL 기반 메시지 전송
커버로스(SASL)를 이용한 카프카 인증